On Wed, Dec 09, 2009 at 10:25:10PM -0600, Joseph A Holsten wrote:
> On Dec 9, 2009, at 9:42 AM, SitG Admin wrote:
> > Chris Messina wrote:
> >> Third, it suggests that whatever metadata the user doesn't provide
> >> herself, a site author may attempt to harvest elsewhere.
> >
> > Which is something we need to establish best practices around, to  
> > discourage just that: the *attempt* to harvest correlating  
> > (meta)data elsewhere. Site authors who mix up authentication data  
> > and accidentally commit identity theft on the user's behalf will not  
> > be admired.
> 
> Care to unpack that? I always felt that it's foolish not to use public  
> data to inform interaction with the user.

Another concern is preserving the end user's control over his data. The
OpenID spec is good about keeping all the RP and OP conversations "in
the open" (better than some other protocols that use backchannels more
heavily). When someone logs in to our City web site to post an anonymous
comment, he can see that we are not asking the OP for any information
other than an OpenID identifier, and verify that the OP is not leaking
any unrequested data. The sales pitch on openid.net currently says 
"You control how much personal information you choose to share with 
websites that accept OpenIDs" -- and that's a good thing.

RP sites that wish to harvest additional info about an OpenID user 
"SHOULD" (in the RFC sense) only do so with the user's explicit consent.
And they SHOULD only do so based on the OpenID identifier, as Shade
points out. Don't ask LinkedIn about Peter Watkins, or they'll likely
give you info on other IT geeks who share my name. Don't ask Wikipedia,
as they'll tell you I direct movies. Ask them about the entity with
the identifier I just authenticated as, and only if I say it's alright.

-Peter

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
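
As an added example (not part of the original thread or of any OpenID library): because OpenID 2.0 requests and responses travel as `openid.*` query parameters on browser redirects, the two URLs can be compared to confirm that the RP asked only for an identifier and that the OP returned no unrequested data. The hosts, identifier and URLs are constructed, and the check assumes extensions are declared with `openid.ns.<alias>` as in OpenID 2.0.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

def openid_params(url):
    """Return the openid.* query parameters of a redirect URL."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in query if k.startswith("openid.")}

def extensions(params):
    """Map extension alias -> namespace URI (openid.ns.<alias>=<URI>)."""
    prefix = "openid.ns."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}

def unrequested_data(request_url, response_url):
    """Response extension fields whose namespace the request never declared."""
    requested = set(extensions(openid_params(request_url)).values())
    resp = openid_params(response_url)
    declared = extensions(resp)
    leaked = []
    for key in sorted(resp):
        parts = key.split(".", 2)  # core fields have no third part
        if len(parts) < 3 or parts[1] == "ns":
            continue
        # Undeclared aliases map to None, which is never in `requested`.
        if declared.get(parts[1]) not in requested:
            leaked.append(key)
    return leaked

# Constructed sample data: hosts and identifier are placeholders.
CORE = {"openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.claimed_id": "https://user.example/",
        "openid.identity": "https://user.example/",
        "openid.return_to": "https://city.example/return"}
REQUEST = "https://op.example/auth?" + urlencode(
    {**CORE, "openid.mode": "checkid_setup", "openid.realm": "https://city.example/"})
CLEAN_RESPONSE = "https://city.example/return?" + urlencode(
    {**CORE, "openid.mode": "id_res"})
LEAKY_RESPONSE = "https://city.example/return?" + urlencode(
    {**CORE, "openid.mode": "id_res",
     "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
     "openid.sreg.email": "user@example.org",
     "openid.sreg.fullname": "Example User"})

if __name__ == "__main__":
    print(extensions(openid_params(REQUEST)))         # extensions the RP asked for
    print(unrequested_data(REQUEST, CLEAN_RESPONSE))  # identifier-only response
    print(unrequested_data(REQUEST, LEAKY_RESPONSE))  # OP volunteered SREG data
```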
